redis / redis-om-spring

Spring Data Redis extensions for better search, documents models, and more
MIT License

Security vulnerabilities in ver. 0.9.0 through transitive dep commons-compress #412

Closed. dxps closed this issue 1 month ago.

dxps commented 1 month ago

Dear all,

Has anyone considered this, please? [image]

Refs:

Thanks!


Explicitly adding a newer version of that transitive dependency solves the case:

        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-compress</artifactId>
            <version>1.26.1</version>
        </dependency>
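To confirm that the explicit dependency actually wins in the resolved build (Maven's nearest-wins rule should pick the direct 1.26.1 over the older transitive copy), here is an added checker that is not part of this issue or of redis-om-spring: it parses `mvn dependency:tree` output and flags any commons-compress version below 1.26.1. Both sample trees below are constructed, not captured from a real build.

```python
import re

# Added example, not from the issue or from redis-om-spring: flag any
# commons-compress version in a Maven dependency tree older than the
# 1.26.1 pinned in the issue above.
MIN_FIXED = "1.26.1"

# Constructed sample of `mvn dependency:tree` output before the override
SAMPLE_TREE_BEFORE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \\- com.redis.om:redis-om-spring:jar:0.9.0:compile
[INFO]    \\- org.apache.commons:commons-compress:jar:1.24.0:compile
"""

# Constructed sample after adding the explicit dependency: the direct
# 1.26.1 declaration is nearer, so Maven resolves it instead
SAMPLE_TREE_AFTER = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.apache.commons:commons-compress:jar:1.26.1:compile
[INFO] \\- com.redis.om:redis-om-spring:jar:0.9.0:compile
"""

# group:artifact:type:version:scope as printed by dependency:tree
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+)"
    r":(?P<version>[\w.\-]+):(?P<scope>\w+)")

def parse_version(v):
    """Turn "1.26.1" into (1, 26, 1); non-numeric pieces count as 0."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def find_artifact_versions(tree_text, group, artifact):
    """Every version of group:artifact that appears in the tree."""
    versions = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m and m.group("group") == group and m.group("artifact") == artifact:
            versions.append(m.group("version"))
    return versions

def vulnerable_versions(tree_text, group="org.apache.commons",
                        artifact="commons-compress", min_fixed=MIN_FIXED):
    """Versions of the artifact in the tree that are older than min_fixed."""
    return [v for v in find_artifact_versions(tree_text, group, artifact)
            if parse_version(v) < parse_version(min_fixed)]
```

Run it against real output with `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` piped into `vulnerable_versions`; an empty result means the override took effect.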
bsbodden commented 1 month ago

Typically, for CVEs coming from Spring Boot or Spring Data Redis, we don't address them and simply wait for them to be resolved upstream.